NCC-CSIRT alerts consumers to BlackByte Ransomware disabling security products

The Nigerian Communications Commission-Computer Security Incident Response Team’s advisory explains how the cyberthreat exploits a security issue that allows it to disable drivers used by multiple EDR and antivirus products, preventing them from operating normally.

Gbenga Kayode | ConsumerConnect

As part of the Commission’s consumer protection initiatives, the Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT) has flagged the BlackByte Ransomware, a high-impact threat to the Windows Operating System (OS).

ConsumerConnect reports that the telecoms sector regulatory Commission disclosed that the cyberthreat has the capacity to bypass protections by disabling over 1,000 drivers used by various security solutions.

Mr. Reuben Muoka, Director of Public Affairs at NCC, said at the weekend that the NCC-CSIRT advisory noted the BlackByte Ransomware gang is using a new technique that researchers called “Bring Your Own Vulnerable Driver”. The gang is exploiting a security issue that allows it to disable drivers used by multiple Endpoint Detection and Response (EDR) and antivirus products, like Avast, Sandboxie, Windows DbgHelp Library, and Comodo Internet Security, preventing them from operating normally.


“Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, which is vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098,” stated the NCC-CSIRT advisory.

It also said the “Bring Your Own Vulnerable Driver” (BYOVD) method is effective because the vulnerable drivers are signed with a valid certificate and run with high privileges on the system.

The Team cited two notable recent examples of BYOVD attacks: Lazarus abusing a buggy Dell driver, and unknown hackers abusing an anti-cheat driver/module for the Genshin Impact game.


The NCC-CSIRT advisory, therefore, recommended that system administrators protect against BlackByte’s new security bypassing trick by adding the particular MSI driver to an active blocklist, monitoring all driver installation events, and scrutinising them frequently to find any rogue injections that do not have a hardware match.
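An added example, not part of the NCC-CSIRT advisory or this report: one way to triage driver installation events as recommended above, flagging the blocklisted MSI driver and kernel drivers that have no hardware match. The event records, host names, hardware inventory and function names are constructed assumptions, and matching the driver by file name is a simplification because the page gives no hash.

```python
import ntpath

# Driver named in the advisory. Matching on file name is an assumption made
# here; the page gives no hash, so none is used.
BLOCKED_DRIVERS = {"rtcore64.sys"}

# Constructed inventory of driver files bound to a present device (assumption:
# on a real host this comes from the PnP driver inventory).
HARDWARE_BOUND = {"e1d68x64.sys", "nvlddmkm.sys"}

# Constructed records shaped like System log event 7045 (service installed).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS-014", "ServiceName": "e1dexpress",
     "ImagePath": r"\SystemRoot\System32\drivers\e1d68x64.sys",
     "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "Computer": "WS-014", "ServiceName": "RTCore64",
     "ImagePath": r'"\??\C:\ProgramData\RTCore64.sys"',
     "ServiceType": "kernel mode driver"},
    {"EventID": 7045, "Computer": "WS-022", "ServiceName": "ExampleUpdater",
     "ImagePath": r"C:\Program Files\Example\updater.exe",
     "ServiceType": "user mode service"},
    {"EventID": 7045, "Computer": "WS-022", "ServiceName": "examplefilter",
     "ImagePath": r"C:\Windows\System32\drivers\examplefilter.sys",
     "ServiceType": "kernel mode driver"},
]


def driver_file(image_path):
    """Reduce an ImagePath (possibly quoted or NT-prefixed) to a lower-case file name."""
    return ntpath.basename(image_path.strip().strip('"')).lower()


def triage(events, hardware_bound=HARDWARE_BOUND):
    """Return (computer, service, file, reasons) for driver installs to review."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        if "kernel" not in ev.get("ServiceType", "").lower():
            continue  # only kernel-mode driver installs are in scope
        name = driver_file(ev.get("ImagePath", ""))
        reasons = []
        if name in BLOCKED_DRIVERS:
            reasons.append("blocklisted driver")
        if name not in hardware_bound:
            reasons.append("no hardware match")
        if reasons:
            findings.append((ev["Computer"], ev["ServiceName"], name, reasons))
    return findings
```

A missing hardware match is a signal for review rather than proof of abuse, since legitimate software-only drivers also lack one.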

The CSIRT is the telecoms sector’s cybersecurity incident centre, which the NCC set up to focus on incidents in the telecoms sector as they may affect telecoms consumers in particular and citizens at large.


The CSIRT also works collaboratively with the Nigeria Computer Emergency Response Team (ngCERT), which the Federal Government established to reduce the volume of future computer risk incidents.

The NCC stated the teams are mandated to prepare, protect, and secure the Nigerian cyberspace, to forestall attacks and problems, or related events in the country’s ecosystem.
